cloudyr / aws.iam

AWS IAM Client Package
https://cran.r-project.org/package=aws.iam

creds obtained using `get_session_token` fail in `iam` requests, but work with `sts` or `s3` requests #15

Closed s-u closed 4 years ago

s-u commented 4 years ago

iam API calls fail in sessions created with get_session_token()

> get_session_token(use=TRUE)
> str(list_roles())
List of 3
 $ Code   : chr "InvalidClientTokenId"
 $ Message: chr "The security token included in the request is invalid"
[...]
> str(get_caller_identity())
List of 3
 $ Account: chr "111111111111"
 $ Arn    : chr "arn:aws:iam::111111111111:user/xxxxx"
 $ UserId : chr "AIDAXXXXXXXXXX"
> aws.s3::bucketlist()
                       Bucket             CreationDate
[...]

Given that the error is "InvalidClientTokenId" and not "AccessDenied", this looks like some possible issue in handling the request. Note, however, that it is unique to iam and does not happen with sts (or S3).

s-u commented 4 years ago

Ok, this appears to be an Amazon policy:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html

The temporary credentials that you get when you call GetSessionToken have the following capabilities and limitations: You cannot use the credentials to call IAM or AWS STS API operations. You can use them to call API operations for other AWS services.
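As an added example (not code from the issue or from the aws.iam package), the following R helper turns the limitation quoted above into an early, explanatory failure instead of a bare "InvalidClientTokenId" from the IAM endpoint. It assumes that `get_session_token(use = TRUE)` exports the temporary credentials into the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` environment variables, that `get_caller_identity()` still works under those credentials (as the session output in the issue shows, with a `:user/` ARN), and that an AssumeRole session instead carries an `:assumed-role/` ARN, which is the documented STS convention. The names `classify_credentials` and `iam_safe` are invented for this example.

```r
library(aws.iam)

# Classify the credentials currently in the environment.
# Assumption: get_session_token(use = TRUE) populated AWS_SESSION_TOKEN.
# The `identity` argument defaults to a live STS call but can be passed
# explicitly (e.g. list(Arn = "arn:aws:iam::111111111111:user/xxxxx")) so
# the classification can be exercised offline.
classify_credentials <- function(identity = get_caller_identity()) {
  has_token <- nzchar(Sys.getenv("AWS_SESSION_TOKEN"))
  arn <- identity$Arn
  if (!has_token) {
    # Plain long-term access key: iam:* calls are governed by policy only.
    return("long-term")
  }
  if (grepl(":assumed-role/", arn, fixed = TRUE)) {
    # AssumeRole session: iam:* calls allowed if the role's policy permits.
    return("assume-role")
  }
  if (grepl(":user/", arn, fixed = TRUE)) {
    # GetSessionToken session (user ARN + session token): IAM and STS
    # operations are rejected with InvalidClientTokenId.
    return("session-token")
  }
  "unknown"
}

# Wrap an aws.iam call so that GetSessionToken credentials are refused up
# front with an actionable message, and a returned error body (a list with
# Code/Message, as in the issue's str(list_roles()) output) becomes an R error.
iam_safe <- function(fun, ...) {
  kind <- classify_credentials()
  if (identical(kind, "session-token")) {
    stop("Credentials come from GetSessionToken; IAM and STS API operations ",
         "are not permitted with them (expect InvalidClientTokenId). ",
         "Use long-term keys or an assume_role() session for iam:* calls.",
         call. = FALSE)
  }
  res <- fun(...)
  if (is.list(res) && !is.null(res$Code)) {
    stop(sprintf("IAM request failed: %s: %s", res$Code, res$Message),
         call. = FALSE)
  }
  res
}

# Usage (needs real AWS credentials, so not run here):
#   get_session_token(use = TRUE)
#   iam_safe(list_roles)   # stops with the explanatory message above
```

The ARN check is only a heuristic for which kind of temporary credential is active; the authoritative rule is the one quoted from the AWS documentation, so the wrapper still surfaces any `Code`/`Message` error body in case the classification is wrong.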